CRGA™ Framework
Board-level governance for technology-enabled enterprise risk.
CRGA™ defines how boards and executives govern material technology-enabled enterprise risk through decision rights, escalation discipline, and defensible oversight evidence.
Praesidium™ establishes this governance architecture independently of entities responsible for implementing technical controls or delivering operational services.
Governance Architecture — Not Execution
Praesidium Governance, Inc. serves exclusively as a governance architecture authority and category steward.
CRGA™ is a governance architecture. It does not deliver cybersecurity operations, managed services, software implementation, audits, or compliance execution.
Execution firms implement controls and operate environments. Governance architecture defines decision rights, assigns accountability, establishes escalation discipline, and documents defensible oversight evidence.
The distinction is structural and must be preserved.
Why CRGA™ Exists
Technology-enabled enterprise risk exceeds the scope of traditional cybersecurity and compliance frameworks.
Operational controls address execution. Regulatory frameworks define obligations. Neither establishes how boards and executives govern accountability for material risk.
As digital infrastructure, automated systems, and algorithmic decision-making increase in complexity, the gap between operational risk management and fiduciary oversight becomes structural.
This gap is not technical.
It is governance.
CRGA™ exists to define the governance architecture required to allocate decision rights, establish escalation discipline, and produce defensible oversight evidence where technology materially affects enterprise outcomes.
Scope of CRGA™
CRGA™ applies where technology-enabled enterprise risk materially affects the enterprise.
Materiality may arise from:
- Cyber risk exposure
- AI and algorithmic system risk
- Identity and access risk
- Operational resilience dependencies
- Regulatory and disclosure obligations
- Third-party and supply chain exposure
CRGA™ governs oversight architecture across domains. It does not replace domain-specific controls.
CRGA™ Governance Domains
CRGA™ is structured across governance domains reflecting materially significant risk categories. Each domain establishes oversight ownership, escalation discipline, and documented accountability.
1. Cyber Risk Governance
Oversight of enterprise exposure to cyber threats, operational disruption, data compromise, and systemic vulnerability.
This domain defines:
- Clear board-level ownership
- Executive accountability assignment
- Escalation discipline
- Defensible oversight evidence
2. AI & Algorithmic Risk Governance
Oversight of AI-enabled systems, algorithmic decision environments, agentic workflows, delegated machine authority, automated decision pathways, and human-agent operating structures where material enterprise risk may arise.
This domain establishes:
- Designated executive oversight authority for AI-enabled and agentic systems
- Governance boundaries for delegated machine authority
- Risk visibility into AI system exposure and automated decision pathways
- Escalation discipline for material AI-related risk conditions
- Defensible oversight evidence for human-agent operating structures
3. Identity & Access Risk Governance
Oversight of identity infrastructure, privileged access environments, and trust boundaries materially affecting enterprise security and operational integrity.
This domain establishes:
- Clear executive ownership of identity risk
- Escalation discipline
- Board-level visibility into systemic identity risk
- Defensible oversight evidence
Architectural Extension
Additional domains may be admitted where technology-enabled enterprise risk materially affects fiduciary accountability.
As new technology domains mature, including advanced automation, autonomous systems, decentralized architectures, or other materially significant innovations, governance oversight may be extended within the same architecture of ownership, escalation, documentation, and defensibility.
Governance domains are architectural. Execution remains domain-specific.
These domains represent governance scope, not operational specialization.
What CRGA™ Is
CRGA™ is a governance architecture.
It defines decision rights, escalation discipline, accountability structures, and defensible oversight evidence for technology-enabled enterprise risk.
It provides structural integrity to fiduciary responsibility across environments shaped by digital infrastructure, automated systems, and algorithmic decision-making.
Governance architecture strengthens defensibility through defined oversight, not technical implementation.
What CRGA™ Is Not
CRGA™ is not an operational service provider, cybersecurity product, software platform, control framework, or certification program.
It does not deliver cybersecurity operations, managed services, software implementation, audits, or compliance execution.
It does not prescribe technical controls, conduct audits, or perform remediation.
CRGA™ governance architecture must remain structurally independent from the entities responsible for implementing technical controls or delivering operational services.
It may not be certified, defined, or represented by execution providers. Any such representation is unauthorized unless explicitly granted in writing by Praesidium Governance, Inc.
This separation preserves fiduciary clarity, accountability integrity, and defensibility at the board and executive level.
CRGA™ does not govern execution. It governs accountability over execution.
The Result
Organizations operating under CRGA™ establish a defined governance architecture for technology-enabled enterprise risk.
This includes:
- Board-level oversight allocation
- Executive accountability structures
- Escalation discipline
- Defensible oversight evidence
This is evidenced through documented decisions, defined escalation records, and traceable accountability structures.
This architecture produces an auditable record of oversight, providing the basis for boards and executives to demonstrate accountability under regulatory, investor, and litigation scrutiny.
CRGA™ establishes governance as a system of record for decision-making, escalation discipline, and accountability in technology-enabled enterprise risk environments.
This is not a control framework. It is a governance architecture.