Clarification

What CRGA™ Is Not

Governance Authority, Execution Boundaries, and the Limits of Operational Service Models

PD-CLAR-001 | Version 1.0 | May 2026 | Boundary Statement | Published

Purpose of This Clarification

This publication defines what Cyber Risk Governance & Accountability™ (CRGA™) does not include, does not claim, and does not authorize. It exists because categories are defined as much by their boundaries as by their contents. As CRGA™ becomes more widely referenced, the risk of misapplication — deliberate or inadvertent — increases. This clarification is a permanent institutional record of those boundaries.

Three misreadings of CRGA™ are addressed below. Each is stated plainly, corrected precisely, and explained in terms of why the distinction matters institutionally.

I. CRGA™ is not a consulting service or advisory engagement.

The misreading: "Praesidium advises organizations on their governance programs."

Praesidium Governance, Inc. does not provide consulting engagements, advisory retainers, or operational governance services to client organizations. CRGA™ is a governance category — a defined layer of institutional accountability — not a service offering. Praesidium defines, stewards, and publishes the standards of that category. Execution within the category is performed by qualified execution partners, not by Praesidium.

Why this boundary matters: If the category steward also executes within the category, structural independence collapses. The integrity of CRGA™ as a governance standard depends on Praesidium's independence from operational delivery. This is not a positioning preference. It is a design requirement.

II. CRGA™ is not a cybersecurity framework, compliance program, or control standard.

The misreading: "CRGA™ is a governance layer built on top of NIST, ISO, or SOC 2."

CRGA™ operates above the domain of security controls, compliance requirements, and technical frameworks. It does not extend, certify, or replace those frameworks. Organizations may use any operational security framework they choose. CRGA™ addresses a different question entirely: how decision rights, escalation authority, and accountability for technology-enabled risk are structured at the board and institutional level — independent of which controls are in use beneath that layer.

Why this boundary matters: Conflating governance architecture with control frameworks reduces the governance question to a technical one. Boards do not govern controls. They govern accountability. CRGA™ addresses the latter. Positioning it as a framework overlay misrepresents its function and dilutes its institutional standing.

III. CRGA™ governance authority is not the same as execution capability.

The misreading: "If an organization has strong security operations, they have CRGA™."

Governance authority and execution capability are structurally distinct. An organization may have exceptional security operations, a mature vCISO program, and robust incident response capacity — and still have no defined governance architecture for technology-enabled risk. Execution capability addresses how risk is managed. Governance authority addresses how decisions about that risk are made, escalated, documented, and held accountable at the institutional level. One does not substitute for the other.

Why this boundary matters: When institutions treat operational maturity as governance maturity, they leave the board accountability layer undefined. That gap is precisely what CRGA™ addresses. Allowing the conflation to stand would make the category indistinguishable from the execution layer it is designed to govern.


What CRGA™ Is

Having defined the boundaries, the following table restates what CRGA™ affirmatively includes, for reference alongside the boundary statements above.

| CRGA™ addresses | CRGA™ does not address |
| --- | --- |
| Board and committee governance structure for technology-enabled risk | Operational security controls, tooling, or detection capabilities |
| Decision-rights architecture — who holds authority to decide, escalate, or defer | Compliance audits, certifications, or regulatory filings |
| Escalation discipline — defined thresholds and protocols for board-level awareness | vCISO services, managed security, or incident response delivery |
| Oversight evidence standards — institutional records of how governance was exercised | Advisory engagements, governance consulting, or client service relationships |

Governing Principle

Governance authority must remain structurally independent from execution capability. Where that independence is absent — by design or by drift — the institution's ability to demonstrate defensible oversight is weakened. CRGA™ exists to define and protect that independence at the categorical level.


Affirmative Publications This Clarification Supports



Publication Use Notice

This publication is provided by Praesidium Governance, Inc. for governance education, institutional review, and category-architecture reference. It does not constitute legal, regulatory, technical, certification, assurance, attestation, or operational advice. Use of this publication is subject to Praesidium's published Legal Notice, Terms of Use, and Disclosures. CRGA™ and Cyber Risk Governance & Accountability™ are trademarks of Praesidium Governance, Inc.