CC1.2 — Board of Directors / leadership oversight
Status: Partially implemented (founder + CTO + CCO oversight active; formal advisory board target Phase 2)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
Governance over internal control is exercised by individuals independent of management. The control covers the existence, composition, and operating cadence of the board (or its equivalent for an early-stage company), the board's oversight of management's risk-management process, and the board's review of the effectiveness of internal control.
How ZeroAuth meets this control
ZeroAuth is an early-stage company. The board-equivalent function during Phase 0–2 is the trio of Agent #1 (founder / CTO), Agent #36 (CCO), and Agent #42 (head of partnerships / business owner).
The plan tree explicitly names these three as the standing reviewers for every phase-exit gate: see docs/plan/bfsi-v1/00-README.md and the monthly cadence row in 06-ways-of-working.md "Phase progress review with Role 1 + Role 28 + Role 36 + Role 42". The trio holds the go / no-go authority at Phase 0 (week 2), Phase 1 (week 12), Phase 2 (week 26), Phase 3 (week 39), and Phase 4 (week 52). A no-go at any gate is the strongest available oversight intervention.
Oversight cadence is fixed in writing. The monthly review on the 1st of the month covers phase exit-gate status. The mid-month risk-register review on the 15th (with Role 40, the risk owner) reviews material risks. The end-of-month cost / spend review (with Role 50, the operations lead) reviews budget vs. actual. Three reviews per month; together they form the management-control loop the board needs to satisfy CC1.2.
The quarterly compliance retrospective (docs/compliance/retros/<year>-<q>.md, per compliance-roadmap-v1.md §8.1) is signed off by both Agent #36 and Agent #1 — that two-signature rule is the load-bearing independence guarantee in the absence of a fully formed external board.
Management's risk-management process is captured in the compliance roadmap §7 ("Open dependencies and risks"). Eight named risks (R-COMP-01 through R-COMP-08) each carry a likelihood, an impact, an owner, and a mitigation plan. R-COMP-01 (DPDP rules notification mid-evidence-period) and R-COMP-08 (cross-border-transfer rule tightening) are the two with the highest "regulatory shift" exposure. The mitigation has an explicit "weekly check in the Friday status post" attached, which lands the risk on the founder's desk every week.
R-COMP-04 (bank pilot 1 contract slip) and R-COMP-05 (RBI sandbox not accepted) are the two highest "customer / regulator decision" exposures; each has a documented fall-back plan that prevents a single external decision from blocking the whole programme.
The board-equivalent review of internal control effectiveness is the Phase exit gate. Phase 0 closes 21 audit findings (tracked in docs/security/audit-findings.md). Phase 1 closes the bank demo (docs/plan/bfsi-v1/02-bank-demo.md — 5 scenes plus the integrity-evidence Scene 5). Phase 2 closes SOC 2 Type I + ISO Stage 1. Phase 3 closes SOC 2 Type II evidence period + ISO Stage 2 certificate issuance. Phase 4 closes mainnet deployment + first paid bank go-live. Each gate is a written go/no-go decision with named signatories from the trio above.
The formal advisory board (3 external members covering BFSI, security, and privacy law) is the gap. It is named in compliance-roadmap-v1.md §3.2 as a Phase 2 target — week 26 — by which point we have the SOC 2 Type I report and the bank pilot contracts as material to share. Until then, the founder + CCO + business-owner trio operates as the board-of-record, with the named external counsel relationships (DPDP counsel, external cryptographer, SOC 2 auditor, ISO certification body) providing independent professional judgement on the matters within their respective scopes.
Evidence references
- docs/plan/bfsi-v1/06-ways-of-working.md "Monthly cadence" — the three monthly reviews with named attendees.
- docs/plan/bfsi-v1/03-team.md — the 50-person roster including roles 1, 36, 42, and the KPIs each owns.
- docs/compliance/compliance-roadmap-v1.md §7 — eight named compliance risks with owner + mitigation.
- docs/compliance/compliance-roadmap-v1.md §3.1 — Phase 0 exit gate review with Agent #1 + #36 + #42 in week 2.
- docs/security/audit-findings.md — 21 findings published with status, the artefact of "management is held to account for closing findings."
- Commit 51bc705 — ADR 0011 — branching workflow that puts main behind PR + CI (oversight enforcement).
- Commit 5e3b79d — plan tree landed; encodes the monthly oversight cadence in 06-ways-of-working.md.
Open gaps + remediation roadmap
- External advisory board (3 members) — target Phase 2 week 26 (2026-11-09), per compliance-roadmap-v1.md §3.2.
- Quarterly board pack template — agenda, materials, minutes capture. Target week 14 (2026-08-24) for first usable template, ahead of the first quarter close.
- Board independence policy — written conflict-of-interest rules. Target week 26 alongside the advisory-board onboarding.
Test or audit query
Run cat docs/compliance/retros/2026-q1.md (once the Q1 retro lands in week 14); the file should carry two signature lines: Agent #1 + Agent #36. Absence of either is a control-failure observation.