V

An Accountability Institution for Technology Governance

VORDAN

The Accountability Gap

Vordan publishes the analysis, builds the instruments, and sets the standard. The accountability gap is real. The institution closing it is here.

Subscribe The Instruments

About

The accountability institution technology governance has been missing.

Technology has outpaced the institutions designed to govern it. The gap is not a temporary lag. It is a structural condition. Regulatory frameworks are written for systems that no longer resemble what is being deployed. Audit instruments measure compliance with standards built before the threats they assess existed. Accountability is invoked after failures, not designed before them.

Vordan exists to close that gap. Not by describing it, but by building the infrastructure that closes it. That means a publication that names failures honestly. It means instruments that measure accountability with rigor: the VAF for direct organizational assessment, the VEPA for external posture analysis, the AAB for the governance conditions created by autonomous AI. It means a doctrine that makes accountability a design requirement, not a post-incident response.

Vordan is the institution that sets the standard, conducts the assessment, and publishes the record. Founded in April 2026 by Dominick Costa, a New York-based GRC practitioner and operations leader.

"The organizations that will handle what is coming are the ones that designate accountability before a regulator assigns it for them."

Vordan operates across three layers. The publication: the Accountability Report and Gap Alert: covers the failures that define the gap. The instruments: the VAF, VEPA, and AAB: measure accountability at organizational depth, external posture, and agentic AI governance. The doctrine: Accountable by Design: is the standard that underlies all three.

These are not separate products. They are the architecture of a single institution built on the conviction that accountability is an engineering problem, not a communications problem. It requires deliberate design, not documentation.

The Doctrine

Accountable by Design

The Vordan Doctrine identifies the six structural properties that every accountable governance system must possess. These properties are the foundation on which every Vordan instrument is built. The VAF, VEPA, and AAB each operationalize the Doctrine differently: different subjects, different evidentiary depths, different outputs. The Doctrine is the why. The instruments are the how.

01

Origin

Every system, decision, and output must have an identifiable and accountable source. When origin is obscured by offshore incorporation, distributed architecture, or delegated execution, the accountability chain breaks before it begins.

02

Voice

The parties most affected by a governance failure must have a mechanism to be heard before the decision is made, not after the damage is done. Governance without voice is administration.

03

Traceability

Every decision, action, and output must be traceable to an accountable owner through an unbroken audit trail. Without traceability, accountability is performative. The log must exist, persist, and be independently verifiable.

04

Timing

The dangerous window is not ignorance. It is the gap between when a threat is known and when protection is complete. Governance that operates on annual cycles against threats that move in hours is structurally misaligned.

05

Response

Identifying a gap without a defined response mechanism is observation, not governance. The accountability loop is only closed when the parties who find a problem have the authority, the pathway, and the architecture to fix it.

06

Transparency

Accountability requires a public record. When the gap between what happened and what was disclosed is itself ungoverned, the accountability architecture fails at the final layer. Transparency is not a communications strategy. It is a structural requirement.

Glossary

The Vordan Lexicon

Precision of language is a governance property. Vordan maintains a working glossary of terms used in the publication. These are not standard definitions. They are the definitions that matter for practitioners operating inside the accountability gap.

The Accountability Gap
The structural distance between what a technology is capable of doing and what the institutions responsible for governing it are equipped to oversee. The gap is not a failure of intent. It is a failure of architecture. It grows when technical capability advances faster than governance vocabulary.
Accountable by Design
The principle that governance structures must be built into a system before deployment, not retrofitted after a failure. A system that requires a post-mortem to discover its accountability gaps was not built with accountability in mind.
Governance Theatre
The condition in which an organization produces all the artifacts of a governance program: policies, registers, reports, audit findings, while the underlying risk the program is meant to manage remains unaddressed. Compliant reporting coexisting with invisible systemic failure.
Crypto-Agility
The architectural property of a system that allows cryptographic algorithms to be swapped or updated without requiring a full system redesign. The absence of crypto-agility is why post-quantum migration is an existential infrastructure problem for most organizations, not a configuration change.
Harvest Now, Decrypt Later
An attack strategy in which an adversary intercepts and stores encrypted data today, intending to decrypt it once a cryptographically-relevant quantum computer becomes available. The attack is passive, undetectable, and already economically rational for nation-state actors. The exfiltration window is open now.
The Enforcement Ceiling
The practical upper limit of regulatory enforcement at any given moment, determined not by what the law requires but by what the enforcement apparatus is resourced and willing to pursue. The regulatory floor can be intact while the enforcement ceiling is temporarily lowered, creating compliance gaps that are legally real but operationally invisible.
AAB
The shorthand reference for the Agentic Accountability Baseline, Vordan's framework standard for autonomous AI deployments. Maps every control requirement: agent identity, permission scope, memory governance, activity trail, approval gates, forensics, to an accountability condition. Available at vordan.co/instruments/aab.
VAF
The Vordan Accountability Framework. Vordan's primary organizational assessment instrument, conducted through direct access, practitioner interviews, and evidence production under defined timeframes. Produces the Accountability Gap Score out of 100 across six modules: Origin, Voice, Traceability, Timing, Response, and Transparency. Available at vordan.co/instruments/vaf.
VEPA
The Vordan External Posture Assessment. Evaluates the observable accountability posture of any organization using the public record as its sole evidentiary basis. Requires no organizational cooperation. Produces a Posture Score on a 1–5 scale across six fixed components with mandatory confidence intervals. The reference implementation, VEPA-2026-001, assessed Salesforce's response to the ShinyHunters campaign. Available at vordan.co/instruments/vepa.
Agentic Accountability Gap
The structural gap that emerges when an autonomous AI agent acts on behalf of an organization but no governance architecture exists to answer the fundamental accountability questions: who authorized this action, under whose authority, on what data, through which tools, and with what audit trail. The harness captures what the agent did. The accountability gap is what remains when no one has defined what "sufficient" looks like from a governance standpoint.

The Publication

The Accountability Report & The Gap Alert

Vordan publishes on Sundays and when the intelligence warrants it. The Accountability Report is the full analysis: one governance failure examined thoroughly. The Gap Alert is the urgent signal: something just happened, here is why it matters before the memo arrives.

Sunday: Report When warranted: Alert
Sunday

The Accountability Report

One governance failure examined thoroughly. The full analysis: what happened, what the structure above it allowed to happen, and what closing that gap would actually require. Not a briefing. A reference.

Read the reports →
When the intelligence warrants it

The Gap Alert

Breaking intelligence on accountability failures as they happen. Something just broke, was disclosed, or was quietly buried. Here is the structural gap it exposes, before the memo arrives and the framing hardens.

Read the alerts →

Builds

From Vordan

Vordan does not only name gaps. It closes them. The builds documented here emerge directly from the analysis, products and tools designed from the ground up on the Accountable by Design doctrine.

Beta
AfterMail
by Vordan
What comes after email. A metadata-free communication platform with the familiarity of email and the architecture of a system that has never heard your name.

Every encrypted email provider, no matter how strong its encryption, operates under the laws of the country it is headquartered in. Metadata (IP addresses, device fingerprints, recovery emails, payment records) is never encrypted. No private email company can refuse a valid legal order in their jurisdiction. The encryption holds. The institution above it is a different question entirely.

AfterMail is built on sealed sender architecture at the protocol layer. No user identifiers. No phone numbers. No email addresses. No account linked to any real-world identity. The relay never knows who is sending. Nothing to compel because there is nothing to hand over. The interface looks and feels like email. The architecture underneath it does not resemble email at all.

Built in Rust by a single founder. Beta is live. Invite-only access via waitlist at aftermail.co.

Sealed Sender SimpleX Protocol Zero Metadata Rust E2E Encrypted X25519 ChaCha20-Poly1305
Join the waitlist at aftermail.co →
Read the thesis →
Active
The Instruments
VAF · VEPA · AAB
The accountability measurement architecture. Three instruments, three evidentiary depths, one doctrine.

The VAF assesses organizational accountability from inside, through direct access, practitioner interviews, and evidence production under defined timeframes. The VEPA assesses external posture from the public record alone, requiring no organizational cooperation. The AAB defines what sufficient accountability looks like for autonomous AI deployments.

Together they constitute a complete accountability measurement architecture. No instrument duplicates another. No gap between them is accidental. Each is built on the Vordan Doctrine and produces findings that hold under scrutiny.

VAF: Gap Score / 100 VEPA: Posture Score 1 to 5 AAB: Framework Standard
Explore the instruments at vordan.co/instruments →

Contact

Get in touch.

Vordan is written by Dominick Costa, a New York-based GRC practitioner, cybersecurity analyst, and operations leader. For editorial inquiries, speaking, or governance readiness conversations, reach out directly.

Publication reports.vordan.co LinkedIn linkedin.com/in/dominick-costa Company linkedin.com/company/vordannyc Email hello@vordan.co
"The organizations that will handle what's coming are the ones that designate ownership before a regulator assigns it for them."

Vordan offers pre-audit governance readiness assessments and post-audit accountability gap reviews for organizations that want to close the gap before the failure, not after it.

Inquiries are handled directly and confidentially.

Start a conversation