A publication for practitioners inside the gap

VORDAN

The Accountability Gap

Technology moves fast. The rules, oversight, and accountability meant to keep it in check don't. Vordan exists to close that gap.

Written for practitioners inside the gap.

There is a gap between how fast technology moves and how slowly the systems meant to govern it respond. You see it when a new AI model ships and the compliance team is still writing the policy for the last one. You see it when a zero-day drops and the audit framework being used to assess it was written before the threat existed.

That gap is not a bug. It is a feature of how institutions work. But somebody has to write about it honestly, aimed at the people actually operating inside it.

That is what Vordan is. A publication for security professionals, risk analysts, compliance leads, and technologists who live at the intersection of advancing capability and lagging governance. Not for executives who need a briefing. For practitioners who need a reference.

"Governance doesn't emerge from a risk register any more than a culture emerges from a handbook. Both require deliberate design, not documentation."

Vordan covers cybersecurity, AI governance, post-quantum cryptography, open source, and digital sovereignty — not as separate beats but as connected pressure points in a single systemic problem.

The doctrine is Accountable by Design: governance architecture built in before deployment, not retrofitted after failure.

Founded by Dominick Costa, a New York-based GRC practitioner and operations leader, Vordan launched in April 2026.

Accountable by Design

The Vordan framework identifies the six structural properties that governance systems must possess to close the accountability gap. Organizations that get governance right didn't stumble into it. They built it on purpose, before the audit, before the breach.

01 Traceability

Every decision, action, and output produced by a system or agent must be traceable to an accountable human or organizational owner. Without traceability, accountability is performative.

02 Anticipation

Governance structures must be designed to anticipate categories of risk before they materialize, not respond to incidents after they occur. Reactive governance is governance theatre.

03 Proportionality

The depth of oversight must be proportional to the potential impact of the technology being governed. Not every tool requires the same scrutiny. Misjudging proportionality in either direction creates gaps.

04 Continuity

Governance cannot be periodic when risk is continuous. Systems that drift, adapt, and evolve require oversight that operates at the same cadence — not annual checkpoints that snapshot a moving target.

05 Legibility

Risk must be expressed in language that decision-makers can act on. Technical complexity that cannot be translated into governance terms does not reduce risk — it hides it from the people responsible for managing it.

06 Response

Identifying a gap without a defined response mechanism is observation, not governance. The accountability loop is only closed when the people who find a problem have the authority and the pathway to fix it.

The Vordan Lexicon

Precision of language is a governance property. Vordan maintains a working glossary of terms used in the publication. These are not standard definitions — they are the definitions that matter for practitioners operating inside the accountability gap.

The Accountability Gap
The structural distance between what a technology is capable of doing and what the institutions responsible for governing it are equipped to oversee. The gap is not a failure of intent — it is a failure of architecture. It grows when technical capability advances faster than governance vocabulary.
Accountable by Design
The principle that governance structures must be built into a system before deployment, not retrofitted after a failure. A system that requires a post-mortem to discover its accountability gaps was not built with accountability in mind.
Governance Theatre
The condition in which an organization produces all the artifacts of a governance program — policies, registers, reports, audit findings — while the underlying risk the program is meant to manage remains unaddressed. Compliant reporting coexisting with invisible systemic failure.
Crypto-Agility
The architectural property of a system that allows cryptographic algorithms to be swapped or updated without requiring a full system redesign. The absence of crypto-agility is why post-quantum migration is an existential infrastructure problem for most organizations, not a configuration change.
Harvest Now, Decrypt Later
An attack strategy in which an adversary intercepts and stores encrypted data today, intending to decrypt it once a cryptographically relevant quantum computer becomes available. The attack is passive, undetectable, and already economically rational for nation-state actors. The exfiltration window is open now.
The Enforcement Ceiling
The practical upper limit of regulatory enforcement at any given moment, determined not by what the law requires but by what the enforcement apparatus is resourced and willing to pursue. The regulatory floor can be intact while the enforcement ceiling is temporarily lowered — creating compliance gaps that are legally real but operationally invisible.

The Accountability Report & The Gap Alert

Vordan publishes every Sunday and Wednesday. The Accountability Report is the full analysis — one governance failure examined thoroughly. The Gap Alert is the urgent signal — something just happened, here is why it matters.

Sunday: Report  ·  Wednesday: Alert

The Accountability Report  ·  Issue One  ·  April 20, 2026

The Tool Always Arrives Before the Rule

Why the accountability gap between technical capability and governance is not a bug — it is the defining feature of every technology cycle. And why this cycle is different.

The Accountability Report  ·  Issue Two  ·  April 27, 2026

When the Agent Acts, Who Answers?

The accountability gap just went machine speed. Autonomous agents that detect, hunt, and respond in seconds. The governance architecture to hold them accountable hasn't been built.

The Gap Alert  ·  Issue One  ·  April 22, 2026

The Vercel OAuth Breach

A third-party integration failure that exposed the structural gap between vendor trust and governance oversight. What it means for organizations running on federated identity.

The Gap Alert  ·  Issue Two  ·  April 30, 2026

The Attack Is Already in Progress

Harvest now, decrypt later. The post-quantum cryptography governance failure. OMB missed its first deadline. The adversary storing your 2024 traffic doesn't need to understand ML-KEM. They need storage.

Join practitioners inside the gap.

Every Sunday and Wednesday. No noise. No vendor content. Analysis written for the people who have to act on it.

Get in touch.

Vordan is written by Dominick Costa, a New York-based GRC practitioner, cybersecurity analyst, and operations leader. For editorial inquiries, speaking, or governance readiness conversations, reach out directly.

"The organizations that will handle what's coming are the ones that designate ownership before a regulator assigns it for them."

Vordan offers pre-audit governance readiness assessments and post-audit accountability gap reviews for organizations that want to close the gap before the failure, not after it.

Inquiries are handled directly and confidentially.