A publication for practitioners inside the gap

VORDAN

The Accountability Gap

Technology moves fast. The rules, oversight, and accountability meant to keep it in check don't. Vordan exists to close that gap.

Written for practitioners inside the gap.

There is a gap between how fast technology moves and how slowly the systems meant to govern it respond. You see it when a new AI model ships and the compliance team is still writing the policy for the last one. You see it when a zero-day drops and the audit framework being used to assess it was written before the threat existed.

That gap is not a bug. It is a feature of how institutions work. But somebody has to write about it honestly, aimed at the people actually operating inside it.

That is what Vordan is. A publication for security professionals, risk analysts, compliance leads, and technologists who live at the intersection of advancing capability and lagging governance. Not for executives who need a briefing. For practitioners who need a reference.

"Governance doesn't emerge from a risk register any more than a culture emerges from a handbook. Both require deliberate design, not documentation."

Vordan covers cybersecurity, AI governance, post-quantum cryptography, open source, and digital sovereignty — not as separate beats but as connected pressure points in a single systemic problem.

The doctrine is Accountable by Design: governance architecture built in before deployment, not retrofitted after failure.

Founded by Dominick Costa, a New York-based GRC practitioner and operations leader, Vordan launched in April 2026.

Accountable by Design

The Vordan framework identifies the six structural properties that governance systems must possess to close the accountability gap. Organizations that get governance right didn't stumble into it. They built it on purpose, before the audit, before the breach.

01. Traceability

Every decision, action, and output produced by a system or agent must be traceable to an accountable human or organizational owner. Without traceability, accountability is performative.

02. Anticipation

Governance structures must be designed to anticipate categories of risk before they materialize, not respond to incidents after they occur. Reactive governance is governance theatre.

03. Proportionality

The depth of oversight must be proportional to the potential impact of the technology being governed. Not every tool requires the same scrutiny. Misjudging proportionality in either direction creates gaps.

04. Continuity

Governance cannot be periodic when risk is continuous. Systems that drift, adapt, and evolve require oversight that operates at the same cadence — not annual checkpoints that snapshot a moving target.

05. Legibility

Risk must be expressed in language that decision-makers can act on. Technical complexity that cannot be translated into governance terms does not reduce risk — it hides it from the people responsible for managing it.

06. Response

Identifying a gap without a defined response mechanism is observation, not governance. The accountability loop is only closed when the people who find a problem have the authority and the pathway to fix it.

The Vordan Lexicon

Precision of language is a governance property. Vordan maintains a working glossary of terms used in the publication. These are not standard definitions — they are the definitions that matter for practitioners operating inside the accountability gap.

The Accountability Gap
The structural distance between what a technology is capable of doing and what the institutions responsible for governing it are equipped to oversee. The gap is not a failure of intent — it is a failure of architecture. It grows when technical capability advances faster than governance vocabulary.
Accountable by Design
The principle that governance structures must be built into a system before deployment, not retrofitted after a failure. A system that requires a post-mortem to discover its accountability gaps was not built with accountability in mind.
Governance Theatre
The condition in which an organization produces all the artifacts of a governance program — policies, registers, reports, audit findings — while the underlying risk the program is meant to manage remains unaddressed. Compliant reporting coexisting with invisible systemic failure.
Crypto-Agility
The architectural property of a system that allows cryptographic algorithms to be swapped or updated without requiring a full system redesign. The absence of crypto-agility is why post-quantum migration is an existential infrastructure problem for most organizations, not a configuration change.
Harvest Now, Decrypt Later
An attack strategy in which an adversary intercepts and stores encrypted data today, intending to decrypt it once a cryptographically relevant quantum computer becomes available. The attack is passive, undetectable, and already economically rational for nation-state actors. The exfiltration window is open now.
The Enforcement Ceiling
The practical upper limit of regulatory enforcement at any given moment, determined not by what the law requires but by what the enforcement apparatus is resourced and willing to pursue. The regulatory floor can be intact while the enforcement ceiling is temporarily lowered — creating compliance gaps that are legally real but operationally invisible.

The Accountability Report & The Gap Alert

Vordan publishes on Sundays and when the intelligence warrants it. The Accountability Report is the full analysis — one governance failure examined thoroughly. The Gap Alert is the urgent signal — something just happened, here is why it matters before the memo arrives.

Sunday — Report  ·  When warranted — Alert

The Accountability Report  ·  Issue Three  ·  May 3, 2026

Proton's Promise Doesn't Scale

Three cases. One pattern. What happens when a privacy institution scales faster than its accountability architecture.

The Gap Alert  ·  Issue Three  ·  May 1, 2026

The System Worked. Eight People Died Anyway.

What Tumbler Ridge reveals about the accountability architecture above your AI.

The Accountability Report  ·  Issue One  ·  April 20, 2026

The Tool Always Arrives Before the Rule

Why the accountability gap between technical capability and governance is not a bug — it is the defining feature of every technology cycle. And why this cycle is different.

The Accountability Report  ·  Issue Two  ·  April 27, 2026

When the Agent Acts, Who Answers?

The accountability gap just went machine speed. Autonomous agents that detect, hunt, and respond in seconds. The governance architecture to hold them accountable hasn't been built.

The Gap Alert  ·  Issue One  ·  April 22, 2026

The Vercel OAuth Breach

A third-party integration failure that exposed the structural gap between vendor trust and governance oversight. What it means for organizations running on federated identity.

The Gap Alert  ·  Issue Two  ·  April 30, 2026

The Attack Is Already in Progress

Harvest now, decrypt later. The post-quantum cryptography governance failure. OMB missed its first deadline. The adversary storing your 2024 traffic doesn't need to understand ML-KEM. They need storage.

From Vordan

Vordan does not only name gaps. It closes them. The builds documented here emerge directly from the analysis — products and tools designed from the ground up on the Accountable by Design doctrine.

In Development
AfterMail
by Vordan
What comes after email. The first metadata-free communication platform built with the familiarity of email and the architecture of Signal.

Every encrypted email provider, no matter how strong its encryption, operates under the laws of the country it is headquartered in. Metadata — IP addresses, device fingerprints, recovery emails, payment records — is never encrypted. No private email company can refuse a valid legal order in their jurisdiction. The encryption holds. The institution above it is a different question entirely.

AfterMail is built on SimpleX at the protocol layer and Nym at the network layer. No user identifiers. No phone numbers. No email addresses. No account linked to any real-world identity. Nothing to compel because there is nothing to hand over. The interface looks and feels like email. The architecture underneath it does not resemble email at all.

The build is documented in public on Vordan's Substack. The technical co-founder conversation is open. If you are the engineer who should build this, reach out directly.

SimpleX Protocol  ·  Nym Mixnet  ·  Zero Metadata  ·  Rust  ·  E2E Encrypted  ·  Subscription
hello@vordan.co — Co-founder inquiry →

Join practitioners inside the gap.

Every Sunday and when the intelligence warrants it. No noise. No vendor content. Analysis written for the people who have to act on it.

Get in touch.

Vordan is written by Dominick Costa, a New York-based GRC practitioner, cybersecurity analyst, and operations leader. For editorial inquiries, speaking, or governance readiness conversations, reach out directly.

"The organizations that will handle what's coming are the ones that designate ownership before a regulator assigns it for them."

Vordan offers pre-audit governance readiness assessments and post-audit accountability gap reviews for organizations that want to close the gap before the failure, not after it.

Inquiries are handled directly and confidentially.
